Skype accounts can be hacked with an email address

This site may earn affiliate commissions from the links on this page. Terms of use.

A vulnerability has been made public today that allows anyone to gain control over a Skype account. All you need is the email address of the account and within a few minutes you can lock the real user out and use it as your own.

The Skype account hack can be completed in 6 very simple steps, but why is this possible without ever knowing the Skype user’s password? It simply comes down to the way in which Skype, and therefore Microsoft, handles resetting a forgotten password for the service.

Typically, in order to reset a password a service contacts the user through their email address. As the user is the only person who should have access to their mailbox this is a relatively safe way to allow a password reset. However, Skype breaks this rule by allowing a password reset directly in the Skype app and through a web browser.

What an attacker can do is register a dummy Skype account using the same email address as the person they want to steal an account from. Once registered, a password reset can be requested by the attacker for their dummy account. However, as there is more than one Skype name associated with the email address, the password reset process allows the selection of either name for a password reset.

It’s at that point the security fails as the attacker can reset the other user’s password, and as the other user’s Skype name was listed as part of the reset process, they now have the complete login credentials for that account. The real user is left scratching their head as the next time they try to login their password will be rejected.

Microsoft is aware of the vulnerability, but has been for around 3 months without a fix being issued. Hopefully, now it has been made public the Skype team will react quickly.

If you want to ensure your Skype account is safe until then, the only thing you can do is change the email address to something nobody knows.

Update: Skype has issued the following statement regarding the vulnerability:

“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority.”